Oct 16, 2013 at 1:05 PM
Edited Oct 16, 2013 at 1:05 PM
What is your pykd version?
0.3.x is an unstable version and has no hardware support yet.
I tried this sample with pykd 0.2.0.24:
>>> ntdll = module("ntdll")
>>> setBp(ntdll.NtCreateFile, 1, 4, lambda x: dprintln("hello!"))  # equivalent to: ba e1 ntdll!NtCreateFile
It works well enough.
1) If you run a script with !py, you should know that it works in a separate Python machine, and all objects, including breakpoints, will be deleted when the script ends.
If you want a "global" breakpoint, you should use the !pycmd interpreter - it works in the global Python interpreter:
2) Read EreTIk once again. A hardware breakpoint is set by writing values into the debug registers (DRx). These registers are part of the thread context, and this context may be cleared on process start.
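Added example, not part of the original post and not pykd code: point 2 above modelled in plain Python, showing how an execute breakpoint such as `ba e1` is encoded in DR0-DR3 and DR7 of one thread's context, and why a thread whose context was reset carries no breakpoint. The dict-based context, the function names and the address are assumptions made for illustration.

```python
# Added illustration of the x86/x64 DR7 layout for hardware breakpoints.
# Access values follow the dbgeng DEBUG_BREAK_* flags (1=read, 2=write, 4=execute);
# treating setBp's third argument as one of them is an assumption.
ACCESS_TO_RW = {4: 0b00, 2: 0b01, 1: 0b11}  # no read-only mode: read maps to read/write
RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
SIZE_TO_LEN = {1: 0b00, 2: 0b01, 8: 0b10, 4: 0b11}
LEN_TO_SIZE = {v: k for k, v in SIZE_TO_LEN.items()}


def arm_slot(context, slot, address, size, access):
    """Return a copy of a thread-context dict with DR<slot> armed."""
    if slot not in range(4):
        raise ValueError("only DR0-DR3 hold breakpoint addresses")
    if access == 4 and size != 1:
        raise ValueError("execute breakpoints must use length 1")
    if address % size:
        raise ValueError("address must be aligned to the breakpoint size")
    ctx = dict(context)
    ctx["dr%d" % slot] = address
    dr7 = ctx.get("dr7", 0)
    dr7 &= ~(0b1111 << (16 + 4 * slot))            # clear old RW/LEN fields
    dr7 |= ACCESS_TO_RW[access] << (16 + 4 * slot)  # RW<slot>
    dr7 |= SIZE_TO_LEN[size] << (18 + 4 * slot)     # LEN<slot>
    dr7 |= 1 << (2 * slot)                          # local-enable bit L<slot>
    ctx["dr7"] = dr7
    return ctx


def armed_breakpoints(context):
    """List (slot, address, size, access) for every enabled slot in a context."""
    dr7 = context.get("dr7", 0)
    found = []
    for slot in range(4):
        if dr7 & (0b11 << (2 * slot)):              # L<slot> or G<slot> set
            rw = (dr7 >> (16 + 4 * slot)) & 0b11
            length = (dr7 >> (18 + 4 * slot)) & 0b11
            found.append((slot, context.get("dr%d" % slot, 0),
                          LEN_TO_SIZE[length], RW_NAMES[rw]))
    return found


# Constructed sample values, not taken from a real debugging session.
NT_CREATE_FILE = 0x77A155C8                            # placeholder address
fresh = {"dr0": 0, "dr1": 0, "dr2": 0, "dr3": 0, "dr7": 0}
thread_a = arm_slot(fresh, 0, NT_CREATE_FILE, 1, 4)    # like: ba e1 <address>
thread_b = dict(fresh)                                 # reset context or new thread
```

Here `armed_breakpoints(thread_a)` reports the execute breakpoint in slot 0, while `armed_breakpoints(thread_b)` is empty: the breakpoint exists only in contexts whose debug registers were written.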